Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

McAfee VirusScan 8.8 Managed Client STIG

  • Version/Release: V5R21
  • Published: 2019-09-24
  • Released: 2019-10-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The McAfee VirusScan Managed Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
c
McAfee VirusScan On-Access General Policies must be configured to enable on-access scanning at system startup.
SI-3 - High - CCI-001242 - V-6453 - SV-55134r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001242
Version
DTAM001
Vuln IDs
  • V-6453
Rule IDs
  • SV-55134r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware infecting the system during that startup phase. System Administrator
Checks: C-48772r3_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Enable on-access scanning:" label. Ensure the "Enable on-access scanning at system startup" option is selected. Criteria: If the "Enable on-access scanning at startup" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bStartDisabled is 0, this is not a finding. If the value is 1, this is a finding.

Fix: F-47991r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Enable on-access scanning:" label. Select the "Enable on-access scanning at system startup" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to scan boot sectors.
SI-3 - Medium - CCI-001242 - V-6467 - SV-55135r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM002
Vuln IDs
  • V-6467
Rule IDs
  • SV-55135r1_rule
Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system. System Administrator
Checks: C-48773r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Ensure the "Boot Sectors" option is selected. Criteria: If the "Boot Sectors" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bDontScanBootSectors is 0, this is not a finding. If the value is 1, this is a finding.

Fix: F-47992r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Select the "Boot Sectors" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to scan floppy during shutdown.
SI-3 - Medium - CCI-001242 - V-6468 - SV-55139r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM003
Vuln IDs
  • V-6468
Rule IDs
  • SV-55139r1_rule
Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk at shutdown.System Administrator
Checks: C-48774r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Ensure the "Floppy during shutdown" option is selected. Criteria: If the "Floppy during shutdown" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bScanFloppyonShutdown is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-47997r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Scan:" label. Select the "Floppy during shutdown" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to notify local users when detections occur.
SC-18 - Medium - CCI-001662 - V-6469 - SV-55141r1_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001662
Version
DTAM004
Vuln IDs
  • V-6469
Rule IDs
  • SV-55141r1_rule
"An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling. Ensuring the antivirus software alerts the users when malware is detected will ensure the user is informed of the incident and be able to more closely relate the incident to actions being performed by the user at the time of the detection." System Administrator
Checks: C-48775r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "User message:" label. Ensure the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected. Criteria: If the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of Alert_AutoShowList is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48000r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "User message:" label. Select the "Show the messages dialog box when a threat is detected and display the specified text in the message" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to prevent users from removing messages from the list.
SI-3 - Medium - CCI-001242 - V-6470 - SV-55144r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM005
Vuln IDs
  • V-6470
Rule IDs
  • SV-55144r1_rule
Good incident response analysis includes reviewing all logs and alerts on the system reporting the infection. If users were permitted to remove alerts from the display, incident response forensic analysis would be inhibited. System Administrator
Checks: C-48776r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Remove messages from the list" option is NOT selected. Criteria: If the "Remove messages from the list" option is NOT selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of Alert_UsersCanRemove is 0, this is not a finding. If the value is 1, this is a finding.

Fix: F-48001r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Messages tab, locate the "Actions available to user:" label. Uncheck the "Remove messages from the list" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to log the scan sessions.
SI-3 - Medium - CCI-001242 - V-6474 - SV-55145r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM009
Vuln IDs
  • V-6474
Rule IDs
  • SV-55145r1_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Checks: C-48777r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log to file:" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bLogtoFile is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48004r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
McAfee VirusScan On-Access General Policies log file size must be restricted and be configured to at least 10MB.
SI-3 - Medium - CCI-001242 - V-6475 - SV-55147r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM010
Vuln IDs
  • V-6475
Rule IDs
  • SV-55147r1_rule
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System AdministratorECSC-1
Checks: C-48778r3_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log file size:" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is at least 10MB. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bLimitSize is 1 and dwMaxLogSizeMB is configured to Decimal (10) or higher, this is not a finding. If bLimitSize is 0, this is a finding. If dwMaxLogSizeMB is less than Decimal (10), this is a finding.

Fix: F-48005r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", input a value of at least 10MB or more. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to log the session summary.
SI-3 - Medium - CCI-001242 - V-6478 - SV-55148r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM012
Vuln IDs
  • V-6478
Rule IDs
  • SV-55148r1_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. System Administrator
Checks: C-48779r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Session summary" option is selected. Criteria: If the "Session summary" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of bLogSummary is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48006r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to log any failure to scan encrypted files.
SI-3 - Medium - CCI-001242 - V-6583 - SV-55149r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM013
Vuln IDs
  • V-6583
Rule IDs
  • SV-55149r1_rule
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted. If the data in the log file exceeds the file size set, the oldest 20 percent of the entries are deleted and new data is appended to the file, so although the file size is restricted, it must also be large enough to retain forensic value. System Administrator
Checks: C-48780r3_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Failure to scan encrypted files" option is selected. Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value ReportEncryptedFiles is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48007r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option. Select Save.

b
McAfee VirusScan must be configured to receive DAT and Engine updates.
SI-3 - Medium - CCI-001247 - V-6585 - SV-55151r4_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001247
Version
DTAM016
Vuln IDs
  • V-6585
Rule IDs
  • SV-55151r4_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection. System Administrator
Checks: C-48781r7_chk

Note: Automatic updates to antivirus signature definitions are to be performed once every 24 hours for hosts connected to the network. From the ePO server console System Tree, select the "Systems" tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. Verify there is a Product Update task type enabled. Select the Task Name, locate the "Package Types:" label. Ensure Engine and DAT are selected. Criteria: If a Product update is Enabled with Engine and DAT selected, and scheduled for at least a daily update, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the task type. In this case, TaskType=update is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Settings] Enabled=1 and [Schedule] Type=0, this is not a finding.

Fix: F-48009r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset for the task assignment, select Actions, select Agent, and Select Modify Tasks on a Single System. Select Actions, and select New Client Task Assignment. In the Task to Schedule: area, select McAfee Agent for the product. Select Product Update for the Task Type. Select Create New Task. Provide a descriptive name for the task. Locate the "Package Types:" label. Select the "Engine" and "DAT" options. Select Save. On the Schedule page, locate the "Schedule Status:" label, and select the "Enabled" option. Locate the "Schedule type:" label, and from the pull down menu, select at least "Daily". Select Next. On the Summary page, verify the settings and select Save. Update the client machine.

b
McAfee VirusScan On-Delivery Email Scan Policies must be configured to enable on-delivery email scanning.
SC-18 - Medium - CCI-001170 - V-6586 - SV-55153r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001170
Version
DTAM021
Vuln IDs
  • V-6586
Rule IDs
  • SV-55153r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System Administrator
Checks: C-48782r4_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Scan Items tab, locate the "Scanning of email:" label. Ensure the "Enable on-delivery email scanning" option is selected. Criteria: If the "Enable on-delivery email scanning" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\GeneralOptions Criteria: If the value bEnabled is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48011r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Scanning of email:" label. Select the "Enable on-delivery email scanning" option. Select Save.

b
McAfee VirusScan On-Delivery Email Scan Policies must be configured to find unknown program threats and Trojans.
SC-18 - Medium - CCI-001662 - V-6587 - SV-55169r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001662
Version
DTAM022
Vuln IDs
  • V-6587
Rule IDs
  • SV-55169r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System Administrator
Checks: C-48783r4_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown program threats and trojans" option is selected. Criteria: If the "Find unknown program threats and trojans" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value dwProgramHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48023r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats and trojans" option. Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies must be configured to find unknown macro threats.
SC-18 - Medium - CCI-001662 - V-6588 - SV-55171r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001662
Version
DTAM023
Vuln IDs
  • V-6588
Rule IDs
  • SV-55171r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System Administrator
Checks: C-48784r3_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If the "Find unknown macro threats" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value dwMacroHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48024r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies must be configured to decode MIME encoded files.
SC-18 - Medium - CCI-001170 - V-6590 - SV-55174r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001170
Version
DTAM027
Vuln IDs
  • V-6590
Rule IDs
  • SV-55174r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System Administrator
Checks: C-48786r4_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Decode MIME encoded files" option is selected. Criteria: If the "Decode MIME encoded files" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value ScanMime is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48028r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Locate in the Category column the On Delivery Email Scan Policies. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Decode MIME encoded files" option. Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies must be configured to scan email message body.
SC-18 - Medium - CCI-001170 - V-6591 - SV-55177r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001170
Version
DTAM028
Vuln IDs
  • V-6591
Rule IDs
  • SV-55177r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System Administrator
Checks: C-48787r3_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Email message body (for Microsoft Outlook only):" label. Ensure the "Scan email message body" option is selected. Criteria: If the option "Scan email message body" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions Criteria: If the value ScanMessageBodies is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48030r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Email message body (for Microsoft Outlook only):" label. Select the "Scan email message body" option. Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies, when a threat is found, must be configured to clean attachments as the first action.
SI-3 - Medium - CCI-001243 - V-6592 - SV-55178r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM029
Vuln IDs
  • V-6592
Rule IDs
  • SV-55178r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email. System Administrator
Checks: C-48788r5_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. Ensure that for the "Perform this action first:" pull down menu, "Clean attachments" is selected. Criteria: If "Clean attachments" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uAction is not 5, this is a finding.

Fix: F-48032r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. For the "Perform this action first:" pull down menu, select "Clean attachments". Select Save.

b
McAfee VirusScan On-Delivery Email Scan Policies must be configured to record scanning activity in a log file.
AU-3 - Medium - CCI-000130 - V-6596 - SV-55187r2_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
DTAM035
Vuln IDs
  • V-6596
Rule IDs
  • SV-55187r2_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. System Administrator
Checks: C-48790r4_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Reports tab, locate the "Log to file:" label. Ensure that "Enable activity logging and accept the default location for the log file or specify a new location" is selected. Criteria: If the option "Enable activity logging and accept the default location for the log file or specify a new location" is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions Criteria: If the value bLogToFile is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48041r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
McAfee VirusScan On-Delivery Email Scan Policies log file size must be restricted and be configured to be at least 10MB.
AU-5 - Medium - CCI-000140 - V-6597 - SV-55188r2_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
DTAM036
Vuln IDs
  • V-6597
Rule IDs
  • SV-55188r2_rule
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System Administrator
Checks: C-48791r4_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Reports tab, locate the "Log file size" label. Criteria: If the "Limit the size of log file" is checked and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions Criteria: If both the value of bLimitSize is 1 and the value of dwMaxLogSizeMB is at least decimal (10), this is not a finding.

Fix: F-48042r4_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to scan all fixed, or local, disks and running processes.
SI-3 - Medium - CCI-001241 - V-6599 - SV-55191r4_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM045
Vuln IDs
  • V-6599
Rule IDs
  • SV-55191r4_rule
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected. System Administrator
Checks: C-48794r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Locations tab, locate the "Locations to scan:" label. Ensure the "All fixed drives" or "All local drives" and "Running processes" options are displayed. Criteria: If "All fixed drives" or "All local drives" and "Running processes" are displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [ScanItems] szScanItemX=All fixed drives or szScanItemX=All local drives, and [ScanItems] scScanItemX=SpecialMemory are present, this is not a finding. For the values of szScanItemX, the character X represents some integer =>0. Example: szScanItem0=All fixed disks, szScanItem1=SpecialMemory.

Fix: F-48045r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Locations tab, locate the "Locations to scan:" label. In the drop-down menus, select "All fixed drives" or "All local drives" and "Running processes". Select Save.

b
McAfee VirusScan On-Demand scan must be configured to scan all subfolders.
SI-3 - Medium - CCI-001241 - V-6600 - SV-55192r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM046
Vuln IDs
  • V-6600
Rule IDs
  • SV-55192r3_rule
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected. System Administrator
Checks: C-48795r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Locations tab, locate the "Scan options:" label. Ensure the "Include subfolders" option is selected. Criteria: If "Include subfolders" is selected, this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Where] bScanSubDirs=1, this is not a finding.

Fix: F-48046r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Locations tab, locate the "Scan options:" label. Select the "Include subfolders" option. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to scan boot sectors.
SI-3 - Medium - CCI-001241 - V-6601 - SV-55193r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM047
Vuln IDs
  • V-6601
Rule IDs
  • SV-55193r3_rule
Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.System Administrator
Checks: C-48796r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Locations tab, locate the "Scan options:" label. Ensure the "Scan boot sectors" option is selected. Criteria: If "Scan boot sectors" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Where] bSkipBootScan=0, this is not a finding.

Fix: F-48047r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Locations tab, locate the "Scan options:" label. Select the "Scan boot sectors" option. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to scan all files.
SI-3 - Medium - CCI-001241 - V-6602 - SV-55194r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM048
Vuln IDs
  • V-6602
Rule IDs
  • SV-55194r3_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. System Administrator
Checks: C-48797r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Items tab, locate the "File types to scan:" label. Ensure the "All files" option is selected. Criteria: If "All files" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [What] bScanAllFiles=1, this is not a finding.

Fix: F-48048r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Items tab, locate the "File types to scan:" label. Select the "All files" option. Select Save.

b
McAfee VirusScan On-Demand scan must be configured so there are no exclusions from the scan unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
SI-3 - Medium - CCI-001241 - V-6604 - SV-55195r4_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM050
Vuln IDs
  • V-6604
Rule IDs
  • SV-55195r4_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. System Administrator
Checks: C-48798r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Exclusions tab, locate the "What not to scan:" label. Ensure that no items are listed in this area. Criteria: If no items are listed in the "What not to scan:" area, this is not a finding. If excluded items exist, and they are documented with and approved by the ISSO/ISSM/DAA, this is not a finding. If excluded items exist, and they are not documented with and approved by the ISSO/ISSM/DAA, this is a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Exclusions] dwExclusionCount=0, this is not a finding. Criteria: If dwExclusionCount is not set to 0, ensure the justification for exclusions found have been documented with the ISSO/ISSM/DAA. If exclusions are documented with the ISSO/ISSM/DAA, this is not a finding. If exclusions have not been documented, this is a finding.

Fix: F-48049r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Exclusions tab, locate the "What not to scan:" label. Ensure that no items are listed in this area.

b
McAfee VirusScan On-Demand scan must be configured to scan inside archives.
SI-3 - Medium - CCI-001241 - V-6611 - SV-55196r4_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM052
Vuln IDs
  • V-6611
Rule IDs
  • SV-55196r4_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment. System Administrator
Checks: C-48799r4_chk

NOTE: This setting must be configured. Exclusions for specific extensions may be created. Exclusions must be documented with, and approved by, the local ISSO/ISSM. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Items tab, locate the "Options:" label. Ensure the "Scan inside archives (e.g. .ZIP)" option is selected. Criteria: If "Scan inside archives (e.g. .ZIP)" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [What] ScanArchives=1, this is not a finding.

Fix: F-48050r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Items tab, locate the "Options:" label. Select the "Scan inside archives (e.g. .ZIP)" option. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to decode MIME encoded files.
SI-3 - Medium - CCI-001241 - V-6612 - SV-55197r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM053
Vuln IDs
  • V-6612
Rule IDs
  • SV-55197r3_rule
Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk. System Administrator
Checks: C-48800r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Items tab, locate the "Options:" label. Ensure the "Decode MIME encoded files" option is selected. Criteria: If "Decode MIME encoded files" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [What] ScanMIME=1, this is not a finding.

Fix: F-48051r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Items tab, locate the "Options:" label. Select the "Decode MIME encoded files" option. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to find unknown program threats.
SI-3 - Medium - CCI-001241 - V-6614 - SV-55199r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM054
Vuln IDs
  • V-6614
Rule IDs
  • SV-55199r3_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. System Administrator
Checks: C-48801r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown program threats" option is selected. Criteria: If "Find unknown program threats" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Advanced] dwProgramHeuristicsLevel=1, this is not a finding.

Fix: F-48054r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats" option. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to find unknown macro threats.
SI-3 - Medium - CCI-001241 - V-6615 - SV-55201r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM055
Vuln IDs
  • V-6615
Rule IDs
  • SV-55201r3_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and script that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero day attacks. System Administrator
Checks: C-48802r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If "Find unknown macro threats" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Advanced] dwMacroHeuristicsLevel=1, this is not a finding.

Fix: F-48055r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Select Save.

b
McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to clean files automatically as first action.
SI-3 - Medium - CCI-001243 - V-6616 - SV-55203r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM056
Vuln IDs
  • V-6616
Rule IDs
  • SV-55203r3_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network. System Administrator
Checks: C-48803r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "Perform this action first:" pull down menu, "Clean files" is selected. Criteria: If "Clean files" is selected for "Perform this action first", this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Action] uAction is not set to 5, this is a finding.

Fix: F-48057r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean files". Select Save.

b
McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to delete files automatically if first action fails.
SI-3 - Medium - CCI-001243 - V-6617 - SV-55204r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM057
Vuln IDs
  • V-6617
Rule IDs
  • SV-55204r3_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network. System Administrator
Checks: C-48804r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete files" is selected. Criteria: If "Delete files" is selected for "If the first action fails, then perform this action:", this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Action] uSecAction is not set to 4, this is a finding.

Fix: F-48060r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files". Select Save.

b
McAfee VirusScan On-Demand scan must be configured to record scanning activity in a log file.
SI-3 - Medium - CCI-001241 - V-6618 - SV-55209r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM059
Vuln IDs
  • V-6618
Rule IDs
  • SV-55209r3_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Checks: C-48806r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Reports tab, locate the "Log to file:" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If "Enable activity logging and accept the default location for the log file or specify a new location" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Reports] bLogToFile=1, this is not a finding.

Fix: F-48064r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
McAfee VirusScan On-Demand scan log file size must be restricted and be configured to at least 10MB.
SI-3 - Medium - CCI-001241 - V-6620 - SV-55211r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM060
Vuln IDs
  • V-6620
Rule IDs
  • SV-55211r3_rule
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System Administrator
Checks: C-48807r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". Locate the "Task to Schedule:" label. Verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Reports tab, locate the "Log file size:" label. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If the value of bLimitSize value is not 1, this is a finding. If the uKilobytes is less than 10240 (Decimal), this is a finding. If the bLimitSize value is 1 and the uKilobytes value is 10240 (Decimal) or more, this is not a finding.

Fix: F-48066r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more. Select Save.

b
McAfee VirusScan On-Demand scan must be configured to log any failure to scan encrypted files.
SI-3 - Medium - CCI-001241 - V-6625 - SV-55212r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM063
Vuln IDs
  • V-6625
Rule IDs
  • SV-55212r3_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.System Administrator
Checks: C-48808r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". Locate the "Task to Schedule:" label. Verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Failure to scan encrypted files" option is selected. Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Reports] bLogScanFailure=1, this is not a finding.

Fix: F-48067r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option. Select Save.

b
McAfee VirusScan On-Demand scan must be scheduled to be executed at least on a weekly basis.
SI-3 - Medium - CCI-001241 - V-6627 - SV-55213r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM070
Vuln IDs
  • V-6627
Rule IDs
  • SV-55213r3_rule
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected. System Administrator
Checks: C-48809r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". Select "Edit Assignment" in the Actions column. In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". Select the Summary tab. Locate the "Schedule:" label. Ensure the Status is "Enabled" and that the Type is at least "Weekly". Criteria: If the Scheduled Status: is "Enabled" and the Schedule Type: is at least "Weekly", this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Settings] Enabled=1 and [Schedule] Type=0 the schedule is daily, this is not a finding. If [Settings] Enabled=1 and [Schedule] Type=1 the schedule is weekly, this is not a finding.

Fix: F-48069r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". Select "Edit Assignment" in the Actions column. In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". Select the schedule page. Locate the "Schedule type:" label. For the pull down menu, select "Weekly". Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to enable scanning of scripts.
SI-3 - Medium - CCI-001242 - V-14618 - SV-55214r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM090
Vuln IDs
  • V-14618
Rule IDs
  • SV-55214r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. (NIST SP 800-83) The scanning of scripts is crucial in preventing these attacks. System AdministratorInformation Assurance Officer
Checks: C-48810r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan:" label. Ensure the "Enable scanning of scripts" option is selected. Criteria: If the "Enable scanning of scripts" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Script Scanner Criteria: If the value of ScriptScanEnabled is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48070r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan:" label. Select the "Enable scanning of scripts" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to block the connection when a threatened file is detected in a shared folder.
SI-3 - Medium - CCI-001242 - V-14619 - SV-55217r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM091
Vuln IDs
  • V-14619
Rule IDs
  • SV-55217r1_rule
Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism. These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance Officer
Checks: C-48811r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Ensure the "Block the connection when a threatened file is detected in a shared folder" option is selected. Criteria: If the "Block the connection when a threatened file is detected in a shared folder" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of VSIDBlock is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48072r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Select the "Block the connection when a threatened file is detected in a shared folder" option. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to unblock connections after a minimum of 30 minutes.
SI-3 - Medium - CCI-001242 - V-14620 - SV-55219r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM092
Vuln IDs
  • V-14620
Rule IDs
  • SV-55219r1_rule
Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism. These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance Officer
Checks: C-48812r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Ensure the "Unblock connections after x minutes" option has x set to no less than 30 minutes. Criteria: If the "Unblock connections after x minute(s)" option is configured to no less than 30 minutes, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of VSIDBlockTimeout >= to HEX 1E, this is not a finding.

Fix: F-48073r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block the connection:" label. Enter a value in "Unblock connections after x minutes" where x is set to no less than 30 minutes. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to block the connection when a file with a potentially unwanted program is detected in a shared folder.
SI-3 - Medium - CCI-001242 - V-14621 - SV-55221r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM093
Vuln IDs
  • V-14621
Rule IDs
  • SV-55221r1_rule
Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism. These block connection settings will most often be used on a server housing shared folders and files and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders but will be re-blocked should those same file accesses be attempted.System AdministratorInformation Assurance Officer
Checks: C-48813r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block" label. Ensure the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option is checked. Criteria: If the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of VSIDBlockOnNonVirus is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48075r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option. Select OK to Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to use only one scanning policy for all processes, unless the use of Low-Risk Processes/High-Risk Processes has been documented with, and approved by, the IAO/IAM.
SI-3 - Medium - CCI-001242 - V-14622 - SV-55222r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM100
Vuln IDs
  • V-14622
Rule IDs
  • SV-55222r1_rule
Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates through the organizations. Some processes are known to be higher risk while others are low risk. By restricting policy configuration to the Default Processes policy, all processes will be interpreted equally when applying the policy settings, and will provide the highest level of protection. Best practice dictates configuring Low-Risk and/or High-Risk policies only when it is necessary to improve system performance and will focus the scanning where it is most likely to detect malware. There is risk associated with configuring the Low-Risk and/or High-Risk policies for the purpose of specifically excluding processes from scanning, and should only be done after evaluating other policy settings and determining risk. System AdministratorInformation Assurance Officer
Checks: C-48814r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Processes tab, locate the "Process Settings:" label. Ensure the "Configure one scanning policy for all processes" option is selected. Criteria: If the "Configure one scanning policy for all processes" option is selected, this is not a finding. If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has been documented with, and approved by, the IAO/IAM, this is not a finding. If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk Processes has not been documented/approved by the IAO/IAM, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value OnlyUseDefaultConfig is 1, this is not a finding. If the value is 0 and the use of Low-Risk Processes/High-Risk Processes has not been documented and approved by the IAO/IAM, this is a finding.

Fix: F-48078r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Processes tab, locate the "Process Settings:" label. Select the "Configure one scanning policy for all processes" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to scan when writing to disk.
SI-3 - Medium - CCI-001242 - V-14623 - SV-55224r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM101
Vuln IDs
  • V-14623
Rule IDs
  • SV-55224r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks. System AdministratorInformation Assurance Officer
Checks: C-48815r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When writing to disk" option is selected. Criteria: If the "When writing to disk" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value bScanIncoming is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48079r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files:" label. Select the "When writing to disk" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to scan when reading from disk.
SI-3 - Medium - CCI-001242 - V-14624 - SV-55225r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM102
Vuln IDs
  • V-14624
Rule IDs
  • SV-55225r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks. System AdministratorInformation Assurance Officer
Checks: C-48816r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When reading from disk" option is selected. Criteria: If the "When reading from disk" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value bScanOutgoing is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48081r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Scan files:" label. Select the "When reading from disk" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to scan all files.
SI-3 - Medium - CCI-001242 - V-14625 - SV-55228r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM103
Vuln IDs
  • V-14625
Rule IDs
  • SV-55228r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. System AdministratorInformation Assurance Officer
Checks: C-48818r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "File Types to Scan:" label. Ensure the "All Files" radio button is selected. Criteria: If the "All Files" radio button is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value LocalExtensionMode is 1 and the value of NetworkExtensionMode is 1, this is not a finding. If either of these is not 1, this is a finding.

Fix: F-48083r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "File Types to Scan:" label. Select the "All Files" radio button option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to find unknown unwanted programs and trojans.
SI-3 - Medium - CCI-001242 - V-14626 - SV-55230r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM104
Vuln IDs
  • V-14626
Rule IDs
  • SV-55230r1_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. System AdministratorInformation Assurance Officer
Checks: C-48820r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown unwanted program threats and trojans" option is selected. Criteria: If the "Find unknown unwanted programs and trojans" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value dwProgramHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48085r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown unwanted programs and trojans" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to find unknown macro viruses.
SI-3 - Medium - CCI-001242 - V-14627 - SV-55231r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM105
Vuln IDs
  • V-14627
Rule IDs
  • SV-55231r1_rule
Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. System AdministratorInformation Assurance Officer
Checks: C-48821r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected. Criteria: If the "Find unknown macro threats" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value dwMacroHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48086r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to scan inside archives.
SI-3 - Medium - CCI-001242 - V-14628 - SV-55232r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM106
Vuln IDs
  • V-14628
Rule IDs
  • SV-55232r3_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment. System Administrator
Checks: C-48822r5_chk

NOTE: This requirement can be left not configured and marked as Not Applicable if the regularly scheduled on-demand scan, as validated under V-6611, DTAM052, includes the scanning of archive files. From the ePO server console System Tree, select the "Systems" tab, select the asset to be checked, select "Actions", select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Scan inside archives (e.g. .ZIP)" option is selected. Criteria: If the "Scan inside archives (e.g. .ZIP)" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value ScanArchives is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48087r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Compressed files:" label. Select the "Scan inside archives (e.g. .ZIP)" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies Actions for When a threat is found must be configured to clean files automatically as first action.
SI-3 - Medium - CCI-001242 - V-14630 - SV-55233r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM110
Vuln IDs
  • V-14630
Rule IDs
  • SV-55233r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware does is not introduced onto the system or network. System AdministratorInformation Assurance Officer
Checks: C-48823r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When a threat is found:" label. Ensure that for the "Perform this action first:" pull down menu, "Clean files automatically" is selected. Criteria: If "Clean files automatically" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value for uAction is not 5, this is a finding.

Fix: F-48088r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean files automatically". Select Save.

b
McAfee VirusScan On-Access Default Processes Policies actions for When a threat is found must be configured delete files automatically if first action fails.
SI-3 - Medium - CCI-001242 - V-14631 - SV-55234r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM111
Vuln IDs
  • V-14631
Rule IDs
  • SV-55234r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware does is not introduced onto the system or network. System AdministratorInformation Assurance Officer
Checks: C-48824r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete files automatically" is selected. Criteria: If "Delete files automatically" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value for uSecAction is not 4, this is a finding.

Fix: F-48089r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically". Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies must be configured to clean attachments as the first action for when an unwanted program is found.
SI-3 - Medium - CCI-001243 - V-14652 - SV-55189r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM039
Vuln IDs
  • V-14652
Rule IDs
  • SV-55189r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.System AdministratorInformation Assurance Officer
Checks: C-48792r4_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure that from the "Perform this action first:" pull down menu, "Clean attachments" is selected. Criteria: If "Clean attachments" is selected for "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uAction_Program is not 5, this is a finding.

Fix: F-48043r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Delivery Email Scan Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments". Select Save.

b
McAfee VirusScan On-Demand scan must be configured to detect for unwanted programs.
SI-3 - Medium - CCI-001241 - V-14654 - SV-55207r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM058
Vuln IDs
  • V-14654
Rule IDs
  • SV-55207r3_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously. System AdministratorInformation Assurance Officer
Checks: C-48805r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Items tab, locate the "Options:" label. Ensure the "Detect unwanted programs" option is selected. Criteria: If "Detect unwanted programs" is selected, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key. [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Spyware] ApplyNVP=1 is present, this is not a finding.

Fix: F-48061r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Items tab, locate the "Options:" label. Select the "Detect unwanted programs" option. Select Save.

b
McAfee VirusScan Buffer Overflow Protection Policies must be configured to enable Buffer Overflow Protection.
SI-3 - Medium - CCI-001242 - V-14657 - SV-55235r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM130
Vuln IDs
  • V-14657
Rule IDs
  • SV-55235r1_rule
Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to craft exploits. Buffer overflow attacks compose greater than 25% of malware attacks. Without buffer overflow protection enabled, systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame. Buffer overflow protection is only configurable on non-64-bit systems. System AdministratorInformation Assurance Officer
Checks: C-48825r3_chk

NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Enable buffer overflow protection" option is selected. Criteria: If the "Enable buffer overflow protection" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value BOPEnabled is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48090r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Enable buffer overflow protection" option. Select Save.

b
McAfee VirusScan Buffer Overflow Protection Policies must be configured for Protection mode.
SI-3 - Medium - CCI-001242 - V-14658 - SV-55236r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM131
Vuln IDs
  • V-14658
Rule IDs
  • SV-55236r1_rule
Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to craft exploits. Buffer overflow attacks compose greater than 25% of malware attacks. Without buffer overflow protection enabled, systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame. Protection mode will ensure buffer overflow is detected and blocked. Otherwise, only a warning message will be logged. Buffer overflow protection is only configurable on non-64-bit systems. System AdministratorInformation Assurance Officer
Checks: C-48826r3_chk

NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Protection mode" option is selected. Criteria: If the "Protection mode" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value BOPMode is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48091r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Protection mode" option. Select Save.

b
McAfee VirusScan Buffer Overflow Protection Policies must be configured to display a dialog box when a buffer overflow is detected.
SI-3 - Medium - CCI-001242 - V-14659 - SV-55237r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM132
Vuln IDs
  • V-14659
Rule IDs
  • SV-55237r1_rule
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling. Ensuring the antivirus software alerts the users when a buffer overflow is detected will ensure the user is aware of the incident and be able to more closely relate the incident to actions being performed by the user at the time of the detection.System AdministratorInformation Assurance Officer
Checks: C-48827r3_chk

NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Client system warning:" label. Ensure the "Show the messages dialog box when a buffer overflow is detected" option is selected. Criteria: If the "Show the messages dialog box when a buffer overflow is detected" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value BOPShowMessages is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48092r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Client system warning:" label. Select the "Show the messages dialog box when a buffer overflow is detected" option. Select Save.

b
McAfee VirusScan Buffer Overflow Protection Policies must be configured to record scanning activity in a log file.
SI-3 - Medium - CCI-001242 - V-14660 - SV-55239r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM133
Vuln IDs
  • V-14660
Rule IDs
  • SV-55239r1_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. System AdministratorInformation Assurance Officer
Checks: C-48829r2_chk

NOTE: Buffer Overflow Protection is not installed on 64-bit systems and would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log to file:" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value bLogToFile_Ent is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48094r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
McAfee VirusScan Buffer Overflow Protection Policies log file size must be restricted and be configured to at least 10MB.
SI-3 - Medium - CCI-001242 - V-14661 - SV-55238r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM134
Vuln IDs
  • V-14661
Rule IDs
  • SV-55238r1_rule
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value. System AdministratorInformation Assurance Officer
Checks: C-48828r3_chk

NOTE: Buffer Overflow Protection is not installed on 64-bit systems and would be Not Applicable to 64-bit systems. NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log file size:" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is at least 10MB. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of bLimitSize_Ent is 1 and dwMaxLogSizeMB_Ent is configured to Decimal (10) or higher, this is not a finding. If the bLimitSize_Ent is 0 or if dwMaxLogSizeMB_Ent is less than Decimal (10), this is a finding.

Fix: F-48093r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Reports tab, locate the "Log file size" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more. Select Save.

b
McAfee VirusScan Unwanted Programs Policies must be configured to detect spyware.
SI-3 - Medium - CCI-001243 - V-14662 - SV-55241r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM135
Vuln IDs
  • V-14662
Rule IDs
  • SV-55241r1_rule
Spyware is software that aids in gathering information about a person or organization without their knowledge, and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the user's knowledge. Spyware may try to deceive users by bundling itself with desirable software. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Some types of spyware disable software firewalls and antivirus software. Detecting, blocking, and eradicating malicious spyware or preventing it from being installed will alleviate the negative side effects of the spyware. System AdministratorInformation Assurance Officer
Checks: C-48830r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Ensure the "Spyware" option is selected. Criteria: If the "Spyware" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\NVP Criteria: If the value DetectSpyware is 1, this is not a finding.

Fix: F-48095r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Select the "Spyware" option. Select Save.

b
McAfee VirusScan Unwanted Programs Policies must be configured to detect adware.
SI-3 - Medium - CCI-001243 - V-14663 - SV-55242r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM136
Vuln IDs
  • V-14663
Rule IDs
  • SV-55242r1_rule
Adware, like spyware, is, at best, an annoyance by presenting unwanted advertisement to the user of a computer, sometimes in the form of a popup. At worst, it redirects the user to malicious websites. Detecting and blocking will mitigate the likelihood of users being tricked into visiting sites with malicious content. System AdministratorInformation Assurance Officer
Checks: C-48831r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Ensure the "Adware" option is selected. Criteria: If the "Adware" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\NVP Criteria: If the value DetectAdware is 1, this is not a finding.

Fix: F-48096r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Unwanted Programs Policies. Under the Scan Items tab, locate the "Select categories of unwanted programs to detect:" label. Select the "Adware" option. Select Save.

c
The antivirus signature file age must not exceed 7 days.
SI-3 - High - CCI-001240 - V-19910 - SV-55133r2_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001240
Version
DTAG008
Vuln IDs
  • V-19910
Rule IDs
  • SV-55133r2_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. System Administrator
Checks: C-48771r13_chk

Guidance in DTAM016 requires updates be run daily, automatically or manually. If compliant, the DAT date will be within 24-48 hours old. Since automated update tasks’ success is not guaranteed, the expectation is for update task success to be frequently monitored and corrected when unsuccessful. To allow for that correction, the minimum acceptable threshold for DAT date is not to exceed 7 days. On the client machine, right-click on the McAfee red shield icon in the taskbar. Choose "About". Scroll down to the "McAfee VirusScan Enterprise + AntiSpyware Enterprise" section. Review the date for "DAT Created On:". Criteria: If the "DAT Created On:" date is older than 7 days from the current date, this is a finding. From the ePO server console System Tree, select the "Systems" tab, select the asset to be checked, and double-click to open its properties. Under the System Information, scroll down to the VirusScan Enterprise section and click on the "More" link in the top-right portion of the VirusScan Enterprise section. Scroll down to the General section and confirm the DAT Date reflected is within the last 7 days. Criteria: If the DAT Date is older than 7 days from the current date, this is a finding. NOTE: If the vendor or trusted site's files are also older than 7 days and match the date of the signature files on the machine, this is not a finding.

Fix: F-47990r1_fix

Update client machines via ePO client task. If this fails to update the client, update antivirus signature files as your local process describes (e.g., auto update or runtime executable.)

b
McAfee VirusScan On-Access General Policies Artemis sensitivity level must be configured to medium or higher.
SI-3 - Medium - CCI-001242 - V-35027 - SV-55243r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM137
Vuln IDs
  • V-35027
Rule IDs
  • SV-55243r1_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems. System Administrator
Checks: C-48832r3_chk

NOTE: For systems on the SIPRnet, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Ensure the "Medium" option, or higher, is selected. Criteria: If the "Medium" option, or higher, is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner Criteria: If the value of ArtemisEnabled is REG_DWORD = 0, this is a finding. If the value of ArtemisLevel is REG_DWORD = 0 or REG_DWORD = 1, this is a finding. If the value of ArtemisEnabled is REG_DWORD = 1 and the ArtemisLevel is REG_DWORD = 2, 3 or 4, this is not a finding.

Fix: F-48097r3_fix

NOTE: For systems on the SIPRnet, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option. Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies, When a threat is found, must be configured to clean attachments as the first action and delete attachments if the first action fails.
SI-3 - Medium - CCI-001243 - V-42493 - SV-55180r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM162
Vuln IDs
  • V-42493
Rule IDs
  • SV-55180r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-48789r5_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. Ensure that for the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected. Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uSecAction is not 4, this is a finding.

Fix: F-48034r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. For the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments". Select Save.

b
McAfee VirusScan On Delivery Email Scan Policies must be configured to delete attachments if the first action fails for when an unwanted program is found.
SI-3 - Medium - CCI-001243 - V-42500 - SV-55190r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM163
Vuln IDs
  • V-42500
Rule IDs
  • SV-55190r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-48793r5_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected. Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions Criteria: If the value for uSecAction_Program is not 4, this is a finding.

Fix: F-48044r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments". Select Save.

c
McAfee VirusScan Access Protection Policies must be configured to prevent McAfee services from being stopped.
SI-3 - High - CCI-001242 - V-42516 - SV-55244r2_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001242
Version
DTAM138
Vuln IDs
  • V-42516
Rule IDs
  • SV-55244r2_rule
When the Prevent McAfee services from being stopped check box is selected under Access Protection, VSE will prevent anyone except the System account from terminating McAfee services. This protects VirusScan from being disabled by malicious programs that seek to circumvent virus protection programs by terminating their services.
Checks: C-48834r4_chk

Note: If the HIPS signature 3892 is enabled to provide the "Prevent termination of McAfee processes" protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection settings:" label. Ensure the "Prevent McAfee services from being stopped" option is selected. Criteria: If the "Prevent McAfee services from being stopped" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of PVSPTEnabled is REG_DWORD = 1, this is not a finding.

Fix: F-48098r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection settings:" label. Select the "Prevent McAfee services from being stopped" option. Select Save.

b
McAfee VirusScan Access Protection Policies must be configured to record scanning activity in a log file.
AU-3 - Medium - CCI-000130 - V-42517 - SV-55245r2_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
DTAM139
Vuln IDs
  • V-42517
Rule IDs
  • SV-55245r2_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
Checks: C-48835r4_chk

Note: If DTAM161 "McAfee VirusScan Access Protection Policies must be configured to enable access protection" has been marked as "Not Applicable", this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Access Protection Policies. Under the Reports tab, locate the "Log to file:" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected. Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of bLogToFile is REG_DWORD = 1, this is not a finding.

Fix: F-48099r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Access Protection Policies. Under the Reports tab, locate the "Log to file:" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option. Select Save.

b
McAfee VirusScan Access Protection log file size must be restricted and be configured to at least 10MB.
AU-5 - Medium - CCI-000140 - V-42518 - SV-55246r2_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
DTAM140
Vuln IDs
  • V-42518
Rule IDs
  • SV-55246r2_rule
While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.
Checks: C-48836r5_chk

Note: If DTAM161 "McAfee VirusScan Access Protection Policies must be configured to enable access protection" has been marked as "Not Applicable", this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Access Protection Policies. Under the Reports tab, locate the "Log file size:" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is 10MB or more. Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is 10MB or more, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of bLimitSize is 1 and dwMaxLogSizeMB is configured to Decimal (10) or higher, this is not a finding.

Fix: F-48100r1_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Access Protection Policies. Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of at least 10MB or more. Select Save.

b
McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee files and settings.
CM-5 - Medium - CCI-001813 - V-42519 - SV-55247r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
DTAM141
Vuln IDs
  • V-42519
Rule IDs
  • SV-55247r2_rule
Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
Checks: C-48837r5_chk

Note: If the HIPS signature 3898 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee files and settings" (Block and Report) options are both selected. Criteria: If "Prevent modification of McAfee files and settings" (Block and Report) options are both selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee files and settings" (Block and Report) options are selected. Criteria: If "Prevent modification of McAfee files and settings" (Block and Report) options are both selected, this is not a finding.

Fix: F-48101r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent modification of McAfee files and settings" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Common Management Agent files and settings.
CM-5 - Medium - CCI-001813 - V-42520 - SV-55248r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
DTAM142
Vuln IDs
  • V-42520
Rule IDs
  • SV-55248r2_rule
Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
Checks: C-48838r6_chk

Note: If the HIPS signature 3899 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are selected. Criteria: If both "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are selected. Criteria: If "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are both selected, this is not a finding.

Fix: F-48102r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Scan Engine files and settings.
CM-5 - Medium - CCI-001813 - V-42521 - SV-55249r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
DTAM143
Vuln IDs
  • V-42521
Rule IDs
  • SV-55249r2_rule
Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
Checks: C-48839r6_chk

Note: If the HIPS signature 3900 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected. Criteria: If "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected. Criteria: If "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected, this is not a finding.

Fix: F-48103r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent termination of McAfee processes.
AC-3 - Medium - CCI-000213 - V-42522 - SV-55250r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
DTAM144
Vuln IDs
  • V-42522
Rule IDs
  • SV-55250r2_rule
Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.
Checks: C-48840r5_chk

Note: If the HIPS signature 3892 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent termination of McAfee processes" (Block and Report) options are both selected. Criteria: If "Prevent termination of McAfee processes" (Block and Report) options are both selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent termination of McAfee processes" (Block and Report) options are selected. Criteria: If both "Prevent termination of McAfee processes" (Block and Report) options are selected, this is not a finding.

Fix: F-48104r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent termination of McAfee processes" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection Rules Common Standard Protection must be set to block and report when common programs are run from the Temp folder.
SI-3 - Medium - CCI-001243 - V-42523 - SV-55251r5_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM145
Vuln IDs
  • V-42523
Rule IDs
  • SV-55251r5_rule
This rule will block common programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: "don't open attachments from email." The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.
Checks: C-48841r9_chk

Note: If the HIPS signatures 7010 and 7035 are enabled to provide this same protection, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.

Fix: F-48105r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select the "Prevent common programs from running files from the temp folder" (Block and Report) option. Select Save.

b
McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent hooking of McAfee processes.
SI-3 - Medium - CCI-001243 - V-42524 - SV-55252r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM146
Vuln IDs
  • V-42524
Rule IDs
  • SV-55252r2_rule
Hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls, messages, or events passed between software components. Code that handles such intercepted function calls, events, or messages is called a 'hook'. Hooking can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use hooking techniques. This rule prevents other processes from hooking of McAfee processes.
Checks: C-48842r5_chk

Note: If the HIPS signature 6051 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent hooking of McAfee processes" (Block and Report) options are selected. Criteria: If both "Prevent hooking of McAfee processes" (Block and Report) options are selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent hooking of McAfee processes" (Block and Report) options are both selected. Criteria: If "Prevent hooking of McAfee processes" (Block and Report) options are both selected, this is not a finding.

Fix: F-48106r1_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent hooking of McAfee processes" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection: Common Maximum Protection must be set to detect and log launching of files from the Downloaded Programs Files folder.
SC-18 - Medium - CCI-001169 - V-42525 - SV-55253r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001169
Version
DTAM147
Vuln IDs
  • V-42525
Rule IDs
  • SV-55253r2_rule
A common distribution method for adware and spyware is to have the user download an executable file and run it automatically from the Downloaded Program Files folder. This rule is specific to Microsoft Internet Explorer and prevents software installations through the web browser. Internet Explorer runs code from the Downloaded Program Files directory, notably ActiveX controls. Some vulnerabilities in Internet Explorer and viruses place an .exe file into this directory and run it. This rule closes that attack vector.
Checks: C-48843r5_chk

Note: If the HIPS signature 3910 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Ensure the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected. Criteria: If the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Ensure the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected. Criteria: If the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected, this is not a finding.

Fix: F-48107r1_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Select the "Prevent launching of files from the Downloaded Program Files folder" (Report) option. Select Save.

b
McAfee VirusScan Access Protection: Anti-Spyware Maximum Protection must be set to block and log execution of scripts from the Temp folder.
SI-3 - Medium - CCI-001243 - V-42526 - SV-55254r6_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM148
Vuln IDs
  • V-42526
Rule IDs
  • SV-55254r6_rule
This rule prevents the Windows scripting host from running VBScript and JavaScript scripts from the Temp directory. This would protect against a large number of trojans and questionable web installation mechanisms that are used by many adware and spyware applications.
Checks: C-48844r10_chk

Note: If the HIPS signature 7035 is enabled to provide this same protection, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected, this is not a finding.

Fix: F-48108r5_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent execution of scripts from the Temp folder" (Block and Report) option. Select Save.

b
McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent remote creation of autorun files.
SI-3 - Medium - CCI-001242 - V-42527 - SV-55255r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM149
Vuln IDs
  • V-42527
Rule IDs
  • SV-55255r2_rule
Autorun files are used to automatically launch program files, typically setup files from CDs. Preventing other computers from making a connection and creating or altering autorun.inf files can prevent spyware and adware from being executed. There are many spyware and virus programs distributed on CDs.
Checks: C-48845r5_chk

Note: If the HIPS signature 3886 is enabled to provide this same protection, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure both "Prevent remote creation of autorun files" (Block and Report) options are selected. Criteria: If both "Prevent remote creation of autorun files" (Block and Report) options are selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure "Prevent remote creation of autorun files" (Block and Report) options are both selected. Criteria: If "Prevent remote creation of autorun files" (Block and Report) options are both selected, this is not a finding.

Fix: F-48109r1_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent remote creation of autorun files" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent mass mailing worms from sending mail.
SC-18 - Medium - CCI-001170 - V-42528 - SV-55256r2_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001170
Version
DTAM150
Vuln IDs
  • V-42528
Rule IDs
  • SV-55256r2_rule
Many viruses and worms find email addresses on the infected system and send themselves to these addresses. They do this by connecting directly to the email servers whose names they have harvested from the local system. This rule prevents any process from talking to a foreign email server using SMTP. By blocking this communication, a machine may become infected with a new mass mailing virus, but that virus will be unable to spread further by email. It prevents outbound access to SMTP ports 25 and 587 on all programs except known email clients listed as an exclusion.
Checks: C-48846r5_chk

NOTE: If the system being reviewed has the function of sending email via the SMTP protocol, this setting is not applicable. NOTE: Since there is no HIPS signature to provide this same protection, this check is applicable even if HIPS is enabled. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure "Prevent mass mailing worms from sending email" (Block and Report) options are both selected. Click Edit. Under the "Processes to exclude:" section, verify no processes are listed. If any processes are listed, they must be documented with, and approved by, the IAO/IAM. Criteria: Criteria: If "Prevent mass mailing worms from sending email" (Block and Report) options are not both selected, this is a finding. If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, and any listed "Processes to exclude:" are approved by the IAO/IAM, this is not a finding. If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, but listed "Processes to exclude:" have not been approved by the IAO/IAM, this is a finding. Registry keys are not available for this setting. To validate from client side, Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure "Prevent mass mailing worms from sending email" (Block and Report) options are both selected. Click Edit. Under the "Processes to exclude:" section, verify no processes are listed. If any processes are listed, they must be documented with, and approved by, the IAO/IAM. Criteria: If "Prevent mass mailing worms from sending email" (Block and Report) options are not both selected. This is a finding. If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, and any listed "Processes to exclude:" are approved by the IAO/IAM, this is not a finding. If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, but listed "Processes to exclude:" have not been approved by the IAO/IAM, this is a finding.

Fix: F-48110r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent mass mailing worms from sending email" (Block and Report) options. Select Save.

b
McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent IRC communication.
SC-18 - Medium - CCI-001170 - V-42529 - SV-55257r3_rule
RMF Control
SC-18
Severity
Medium
CCI
CCI-001170
Version
DTAM151
Vuln IDs
  • V-42529
Rule IDs
  • SV-55257r3_rule
Internet Relay Chat (IRC) is the preferred communication method used by botnet herders and remote-access trojans to control botnets (a set of scripts or an independent program that connects to IRC). IRC allows an attacker to control infected machines that are sitting behind network address translation (NAT), and the bot can be configured to connect back to the command and control server listening on any port.
Checks: C-48847r8_chk

NOTE: If IRC Communication is enabled on a Classified network, in accordance with published Ports, Protocols, and Services Management (PPSM) guidelines, this requirement is not applicable. NOTE: Since there is no HIPS signature to provide this same protection, this check is applicable even if HIPS is enabled. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure both "Prevent IRC communication" (Block and Report) options are selected. Criteria: If both "Prevent IRC communication" (Block and Report) options are selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure both "Prevent IRC communication" (Block and Report) options are selected. Criteria: If both "Prevent IRC communication" (Block and Report) options are selected, this is not a finding.

Fix: F-48111r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent IRC communication" (Block and Report) options. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to not exclude any script processes from being scanned unless the process exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
SI-3 - Medium - CCI-001242 - V-42530 - SV-55258r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM152
Vuln IDs
  • V-42530
Rule IDs
  • SV-55258r2_rule
Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scripts are a common carrier of malware and none should be excluded from scanning. In the unlikely event that excluding scanning a script impacts the operational function and/or availability of a system, and reasonable mitigation efforts have been put into place, the exclusion may be put into place but must be documented with, and approved by, the ISSO/ISSM/DAA.
Checks: C-48848r3_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan exclusions:" label. Ensure there are no exclusions listed in the Process field. Criteria: If there are no exclusions listed in the Process field, this is a not finding. If there are exclusions listed in the Process field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding. If there are exclusions listed in the Process field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Script Scanner Criteria: If the ExcludedProcesses REG_MULTI_SZ has any entries, and the excluded processes have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.

Fix: F-48112r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan exclusions" label. Remove any exclusions listed in the Process field.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to not exclude any files from being scanned unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
SI-3 - Medium - CCI-001242 - V-42531 - SV-55259r5_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM153
Vuln IDs
  • V-42531
Rule IDs
  • SV-55259r5_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48849r7_chk

Note: Exclusions must be documented and approved by the ISSO, ISSM, and/or AO. If the site has both an ISSO and an ISSM, the exclusions must be documented by the ISSO and approved by the ISSM or as determined by internal approval structure in the organization. If only an ISSO or ISSM is at site, they will be responsible for both documenting and approving. If neither an ISSO nor ISSM is at the site, the approval falls to the AO. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed. If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO. Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value NumExcludeItems is 0, this is not a finding. If NumExcludeItems is not 1 or greater, and exclusions have not been documented with and approved by the ISSO/ISSM/AO, this is a finding. If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.

Fix: F-48113r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.

b
McAfee VirusScan On-Demand scan must be configured to scan memory for rootkits.
SI-3 - Medium - CCI-001241 - V-42532 - SV-55260r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAM154
Vuln IDs
  • V-42532
Rule IDs
  • SV-55260r3_rule
A rootkit is a stealthy type of software, usually malicious, and is designed to mask the existence of processes or programs from normal methods of detection. Rootkits will often enable continued privileged access to a computer. Scanning and handling detection of rootkits will mitigate the likelihood of rootkits being installed and used maliciously on the system.
Checks: C-48850r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Locations tab, locate the "Locations to scan:" label. Ensure the "Memory for rootkits" option is displayed. Criteria: If "Memory for rootkits" is displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [ScanItems] szScanItemX=SpecialScanForRootkits is present, this is not a finding. For the values of szScanItemX, the character X represents some integer =>0. Example: szScanItem0=All fixed disks, szScanItem1=SpecialMemory.

Fix: F-48114r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Locations tab, locate the "Locations to scan:" label. In the drop-down menus, select "Memory for rootkits". Select Save.

b
McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to clean files automatically as first action.
SI-3 - Medium - CCI-001243 - V-42533 - SV-55261r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM155
Vuln IDs
  • V-42533
Rule IDs
  • SV-55261r3_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48851r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure that for the "Perform this action first:" pull down menu, "Clean files" is selected. Criteria: If "Clean files" is selected for "Perform this action first", this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Spyware] uAction_Program=5, this is not a finding.

Fix: F-48115r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Actions tab, locate the "When an unwanted program is found:" label. For the "Perform this action first:" pull down menu, select "Clean files". Select Save.

b
McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to delete files automatically if first action fails.
SI-3 - Medium - CCI-001243 - V-42534 - SV-55262r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM164
Vuln IDs
  • V-42534
Rule IDs
  • SV-55262r3_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48852r4_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete files" is selected. Criteria: If "Delete files" is selected for "If the first action fails, then perform this action:", this is not a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Task (32-Bit) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Spyware] uSecAction_Program=4, this is not a finding.

Fix: F-48116r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files". Select Save.

b
McAfee VirusScan On-Delivery Email Scan Policies Artemis sensitivity level must be configured to medium or higher.
CM-6 - Medium - CCI-000366 - V-42536 - SV-55264r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
DTAM157
Vuln IDs
  • V-42536
Rule IDs
  • SV-55264r2_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48854r6_chk

Note: For systems on the SIPRNet, this check is Not Applicable. Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Ensure the Sensitivity level is set to "Medium" or higher. Criteria: If the Sensitivity level is set to "Medium" or higher, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner Criteria: If the value of ArtemisEnabled is REG_DWORD = 0, this is a finding. If the value of ArtemisLevel is REG_DWORD = 0 or REG_DWORD = 1, this is a finding. If the value of ArtemisEnabled is REG_DWORD = 1 and the ArtemisLevel is REG_DWORD = 2, 3 or 4, this is not a finding.

Fix: F-48118r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option. Select Save.

b
McAfee VirusScan On-Delivery Email Scan Policies must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
SI-3 - Medium - CCI-001243 - V-42537 - SV-55265r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM158
Vuln IDs
  • V-42537
Rule IDs
  • SV-55265r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments, and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses, but are self-contained, rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-48855r3_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Alerts tab, locate the "Email alert for user:" label. Ensure that "Send alert to mail user:" is selected. Verify that the email recipient information is complete for a notification email to be sent to the IAO/IAM and/or ePO administrator. Criteria: If the option "Send alert to mail user:" is selected and the email recipient information is complete for a notification email to be sent to the IAO, IAM, ePO administrator or System Administrator, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\AlertOptions Criteria: If the value bSendMailToUser is 0, this is a finding. If the value for szSendTo is configured to any recipient other than the IAO, IAM, ePO Administrator, or System Administrator, this is a finding.

Fix: F-48119r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Alerts tab, locate the "Email alert for user:" label. Select the "Send alert to mail user:" option. Enter the email recipient information for the notification email to be sent to the IAO/IAM and/or ePO administrator. Select Save.

b
McAfee VirusScan On-Delivery Email Scan Policies must be configured to log session summary and failure to scan encrypted files.
AU-3 - Medium - CCI-000130 - V-42538 - SV-55266r4_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
DTAM159
Vuln IDs
  • V-42538
Rule IDs
  • SV-55266r4_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
Checks: C-48856r5_chk

Note: If an email client is not running on this system, this check can be marked as Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Reports tab, locate the "What to log in addition to scanning activity" label. Ensure the "Session summary", and "Failure to scan encrypted files" options are selected. Criteria: If the "Session summary" and "Failure to scan encrypted files" options are selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions Criteria: If the value dwLogEvent is not x120 (288) or x130 (304), this is a finding. x120 (288) indicates both Session summary and Failure to scan encrypted files are selected. x130 (304) indicates Session summary, Failure to scan encrypted files, and Session settings are all selected.

Fix: F-48120r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" and "Failure to scan encrypted files" options. Select Save.

b
McAfee VirusScan On-Access General Policies must be configured to not exclude any URL scripts from being scanned unless the URL exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
SI-3 - Medium - CCI-001242 - V-42539 - SV-55267r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM160
Vuln IDs
  • V-42539
Rule IDs
  • SV-55267r3_rule
Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scripts are a common carrier of malware and none should be excluded from scanning. In the unlikely event that excluding scanning a script impacts the operational function and/or availability of a system, and reasonable mitigation efforts have been put into place, the exclusion may be put into place but must be documented with, and approved by, the ISSO/ISSM/DAA.
Checks: C-48857r3_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan exclusions:" label. Ensure there are no exclusions listed in the URL field. Criteria: If there are no exclusions listed in the URL field, this is a not finding. If there are exclusions listed in the URL field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding. If there are exclusions listed in the URL field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\Script Scanner Criteria: If the ExcludedURLs REG_MULTI_SZ has any entries, and the excluded URLs have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.

Fix: F-48121r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access General Policies. Under the ScriptScan tab, locate the "ScriptScan exclusions" label. Remove any exclusions listed in the URL field.

b
McAfee VirusScan Access Protection Policies must be configured to enable access protection.
SI-3 - Medium - CCI-001243 - V-42540 - SV-55268r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM161
Vuln IDs
  • V-42540
Rule IDs
  • SV-55268r3_rule
Access Protection prevents unwanted changes to a computer by restricting access to specified ports, files and folders, shares, and registry keys and values. It prevents users from stopping McAfee processes and services, which are critical before and during outbreaks. Access Protection for VSE uses predefined and user-defined rules to strengthen systems against virus attacks. For instance, rules are used to specify which items can and cannot be accessed. Each rule can be configured to block and/or report access violations when they occur, and rules can also be disabled.
Checks: C-48858r6_chk

NOTE: Access Protection must be enabled in order to afford protection identified in DTAM150 and DTAM151. If HIPS signatures are enabled to provide the same protection as DTAM138, DTAM139, DTAM140, DTAM141, DTAM142, DTAM143, DTAM144, DTAM145, DTAM146, DTAM147, DTAM148 and DTAM149, those checks may be individually marked as not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection settings:" label. Ensure the "Enable Access Protection" option is selected. Criteria: If the "Enable Access Protection" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value APEnabled is 1, this is not a finding.

Fix: F-48122r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection settings:" label. Select the "Enable Access Protection" option. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies must be configured to detect unwanted programs.
SI-3 - Medium - CCI-001242 - V-42541 - SV-55269r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM165
Vuln IDs
  • V-42541
Rule IDs
  • SV-55269r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-48859r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Unwanted programs detection:" label. Ensure the "Detect unwanted programs" option is selected. Criteria: If the "Detect unwanted programs" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value ApplyNVP is 1, this is not a finding. If the value is 0, this is a finding.

Fix: F-48123r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Scan Items tab, locate the "Unwanted programs detection:" label. Place a check in the "Detect unwanted programs" checkbox. Select Save.

b
McAfee VirusScan On-Access Default Processes Policies actions, When an unwanted program is found must be configured to clean files automatically as first action.
SI-3 - Medium - CCI-001242 - V-42542 - SV-55270r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM166
Vuln IDs
  • V-42542
Rule IDs
  • SV-55270r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-48860r2_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure that for the "Perform this action first:" pull down menu, "Clean files automatically" is selected. Criteria: If "Clean files automatically" is selected from "Perform this action first", this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the uAction_Program does not have a value of 5, this is a finding.

Fix: F-48124r2_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "Perform this action first:" pull down menu, select "Clean files automatically". Click OK to Save.

b
McAfee VirusScan On-Access Default Processes Policies actions, When an unwanted program is found must be configured to delete files automatically if first action fails.
SI-3 - Medium - CCI-001242 - V-42543 - SV-55271r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAM167
Vuln IDs
  • V-42543
Rule IDs
  • SV-55271r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-48861r5_chk

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure the "If the first action fails, then perform this action:" has "Delete files automatically" selected. Criteria: If "Delete files automatically" is selected from the "If the first action fails, then perform this action:" drop-down list, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the uSecAction_Program does not have a value of 4, this is a finding.

Fix: F-48125r3_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically". Click OK to Save.

b
McAfee VirusScan Access Protection Rules Anti-Spyware Maximum Protection must be set to block and report when common all programs are run from the Temp folder.
SI-3 - Medium - CCI-001243 - V-59363 - SV-73793r3_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAM170
Vuln IDs
  • V-59363
Rule IDs
  • SV-73793r3_rule
This rule prevents all program from running files from the Temp directory. This would protect against a large number of trojans and questionable web installation mechanisms that are used by many adware and spyware applications. System Administrator
Checks: C-60139r3_chk

Note: If the HIPS signatures 7010, 7011, 7020 and 7035 are enabled to provide this same protection, this check is Not Applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.

Fix: F-64759r1_fix

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent all programs from running files from the Temp folder"(Block and Report) option. Select Save.